Firewalld Blocking SSH between Clients on WireGuard LAN

debian firewalld wireguard

While firewalld is generally an excellent tool for configuring the firewall on a Linux box, for this particular use case -- forwarding traffic for other hosts -- it's kind of a pain in the neck to use. I would suggest turning it off on your server, and just using iptables (or nftables) directly.

If you really want to use firewalld, however, try this (as root):

1. Create a custom zone for your WireGuard interface that accepts all traffic:
firewall-cmd --permanent --new-zone=mywg
firewall-cmd --permanent --zone=mywg --set-target=ACCEPT
firewall-cmd --reload
2. Add "rich" rules to the zone to reject inbound connections from WireGuard to the server itself:
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv4" priority="30001" protocol value="tcp" reject'
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv4" priority="30002" protocol value="udp" reject'
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv6" priority="30003" protocol value="tcp" reject'
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv6" priority="30004" protocol value="udp" reject'
3. Add "direct" rules to allow forwarding of IPv4 SSH connections between other WireGuard hosts, and reject everything else:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i wg0 -o wg0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 2 -i wg0 -j REJECT
firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i wg0 -j REJECT
4. Bind the zone to your WireGuard interface and save your changes:
firewall-cmd --zone=mywg --add-interface=wg0
firewall-cmd --runtime-to-permanent

You can add more IPv4 direct rules between 0 and 2 (renumbering the REJECT rule to be last) if you want to allow other types of traffic between your WireGuard hosts (or just replace rules 0 and 1 with a single rule like -i wg0 -o wg0 -J ACCEPT if you want to allow the server to forward any and all traffic between your WireGuard hosts).

See Hub and Spoke section of this How to Use WireGuard With Firewalld article for a full explanation (Host C is your server in this article).

Related

Moving LVM volume group from one physical disk onto another
Apache - listen only on specific domain, not IP
Failed to connect to 127.0.0.1 port 80
Why is it spelled "maintenance" and not "maintainance?"
Past tense of 'to output': output or outputted?
What do you call a word that has multiple senses or parts of speech in one sentence?
Should it be folk or folks?
How to punctuate an example indicated by "say"
What is the difference in usage between "lethal" and "fatal"?
What is the difference between illegal and unlawful?
Indian English: What usage is allowed for "doubt" (meaning "question")?
What's the etymology of "props"?